Databases Reference
In-Depth Information
layer so that it takes place regardless of the external interface used to access
the database. Within the database engine, SQL parsing and QGM transformation
are the initial steps of query processing as described in Figure 2. Policy
enforcement would be performed at this point in query processing, directly on
the QGM representation of the database system. Thereafter, further database
query processing occurs on the modified QGM graph implementing policy
enforcement. Nevertheless, integrating enforcement within the database layer
implies access to and knowledge of specific database product implementations
and eliminates the database-agnostic benefit of the middleware approach.
In addition, others have developed a system for enforcing fine-grained access
control policies over XML data [7]. XML extends the flat tabular structure
of relational tables with hierarchical structures used to model complex
objects. XML represents complex objects as trees in which element nodes are
root, intermediate or leaf nodes of the tree and other node types, such as text
strings or attributes, are leaf nodes. Policy enforcement rules can target any
part of the XML tree, not only the leaves. XML privacy/security policies are
specified as individual positive or negative rules that grant or deny access to
information represented as XML. A rule describes the users governed by the
rule, the documents over which authority is granted or denied, the portion of
the document governed by the rule (the portion is rooted at a sub-tree of the
document), whether access is for the full sub-tree or only for root nodes of
the sub-tree, and the type of operation allowed or denied (access or update).
While these policy semantics are different from those defined for active
enforcement for relational databases, a similar policy language for XML could
be created to conform to HDB policy semantics. For example, HDB has only
positive authorizations and access is denied in the absence of any authorization;
therefore, negative authorizations would not be used in the specification.
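
The following sketch is an added example, not code from the cited XML system or from HDB. It evaluates positive-only rules with default deny over an XML tree and builds the view a user may see. The rule field names, the use of ElementTree paths to select sub-tree roots, the sample document, and the choice to keep unauthorized ancestors as empty shells are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Positive authorization only; field names are illustrative assumptions."""
    users: frozenset       # users governed by the rule
    document: str          # document over which authority is granted
    path: str              # ElementTree path to the root(s) of the governed sub-tree
    whole_subtree: bool    # True: full sub-tree, False: only the sub-tree's root node
    operation: str         # "access" or "update"

def authorized_nodes(rules, user, document, root, operation):
    """Collect elements covered by a matching rule. No rule means no access."""
    allowed = set()
    for r in rules:
        if user in r.users and r.document == document and r.operation == operation:
            for node in root.findall(r.path):
                allowed.update(node.iter() if r.whole_subtree else [node])
    return allowed

def visible_view(node, allowed):
    """Copy the tree, disclosing text and attributes of authorized elements only.
    Unauthorized ancestors survive as empty shells so the result stays a tree."""
    kids = [v for c in node if (v := visible_view(c, allowed)) is not None]
    if node not in allowed and not kids:
        return None
    out = ET.Element(node.tag)
    if node in allowed:
        out.attrib.update(node.attrib)
        out.text = node.text
    out.extend(kids)
    return out

# Constructed sample document and rules, not taken from the cited system.
SAMPLE = ('<record id="r1"><patient><name>Alice</name>'
          '<diagnosis code="J45">asthma</diagnosis></patient>'
          '<billing><card>4111</card></billing></record>')
RULES = [
    Rule(frozenset({"nurse"}), "records.xml", "./patient", True, "access"),
    Rule(frozenset({"clerk"}), "records.xml", "./billing", False, "access"),
]

def render(user, operation, document="records.xml"):
    root = ET.fromstring(SAMPLE)
    view = visible_view(root, authorized_nodes(RULES, user, document, root, operation))
    return None if view is None else ET.tostring(view, encoding="unicode")

if __name__ == "__main__":
    for who, op in [("nurse", "access"), ("clerk", "access"), ("nurse", "update")]:
        print(who, op, render(who, op))
```

The root-only rule for the clerk discloses the `billing` element without its `card` child, and a request with no matching rule yields no view at all.
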
3.2 Compliance Auditing
A second enabling technology of a Hippocratic database is compliance auditing,
which tracks past disclosures of information to support investigations of
suspicious disclosures [8]. This HDB auditing component allows enterprises
to ascertain the identities of those who have accessed a particular item of
information in the database, the date and time of each query, the purpose of
access, the final recipient, and the exact information disclosed. This capability
greatly enhances the accountability of database systems and deters wrongful
access and disclosure. By allowing enterprises to verify compliance with privacy
policies and respond to individual challenges, this auditing component
supports the HDB compliance principle.
HDB compliance auditing is a significant innovation over conventional auditing
systems that log the results of every query. Enterprises often turn off
these result logging systems because they consume considerable storage and
computational resources [9]. HDB addresses this problem by logging only the